MANRS process update: fixing routing security gaps
Over 20 experts are currently rewriting the rules for the Network Operators Program under a new charter. This strategic evolution replaces ambiguity with durable references, allowing anyone to trace document history. The community now plans to use these rebuilt standards to validate Route Origin Validation adoption, building on data showing only 9 percent of participants implemented ROV by 2027 according to a community report.
Recent community surveys identified a critical lack of precision. Participants demanded stronger auditing rather than a higher bar, prompting the Global Cyber Alliance to formalize how specifications evolve. This move creates a clean baseline for reviewing programs without altering the core MANRS Actions that remain fit for purpose.
This structured approach fixes the fragmentation that has long plagued routing security initiatives. By focusing on transparency and consistency, the initiative expands the breadth of adoption among networks that currently ignore basic hygiene. Stability replaces the chaos of untracked updates, forcing the industry to confront its minimum baseline responsibilities.
The Strategic Evolution of the MANRS System
MANRS Development Process and the Global Cyber Alliance Transition
The MANRS Advancement Process codifies how routing security specifications get created and updated. This structured method replaces scattered documentation with a transparent, versioned library where every specification evolves through documented community review instead of ad hoc changes. Moving the secretariat role to the Global Cyber Alliance in 2024 accelerated this maturity, driving significant participant growth since the handover. Defining routing security as a supply-chain dependency shifts focus from voluntary best practices to auditable requirements for enterprises. Unlike broader IT frameworks, this model targets specific BGP leaks and hijacks that threaten global availability. The MANRS Evolution Process provides a clean baseline from which to review programs, keeping specifications fit for purpose while maintaining a minimum viable baseline for network operators.
| Feature | Pre-2024 Structure | Post-2024 MDP Structure |
|---|---|---|
| Documentation | Scattered web pages | Single versioned library |
| Growth Strategy | Organic | Planned via Observatory |
| Governance | Informal consensus | The working groups |
Raising standards too high excludes networks needing guidance most, yet maintaining a low barrier while enforcing strict auditing creates friction. Formalization ensures routing security remains a governable asset rather than an abstract concept.
Applying MANRS Actions Across the Global Routing Security Supply Chain
Enterprises now evaluate supplier risk decisions based on upstream filtering capabilities, defining the routing security supply chain. Joining the MANRS community requires network operators to implement four core actions: filtering, anti-spoofing, coordination, and global validation. Participation expanded from 13 networks in 2014 to over 1,300 today, yet organic monthly growth has recently flattened. This plateau forces a strategic pivot from passive enrollment to active governance of the system. Operators contribute to working groups by helping shape practical requirements under the MANRS Growth Process rather than merely consuming static rules.
A conflict exists between maintaining low entry barriers and enforcing the strict auditing large enterprises now demand for compliance. Regulations such as DORA and NIS2 are increasingly pulling suppliers into scope, making routing hygiene a vital component of vendor qualification. Stabilizing the global routing system depends on transforming participants from passive signatories into active auditors of the global routing system.
Organic Versus Planned Growth Strategies in the MANRS System
Monthly participation rates have plateaued, necessitating a pivot from organic expansion to planned growth strategies. Historical reliance on voluntary adoption yielded significant early gains, yet current data indicates that passive recruitment no longer sustains momentum. The community now deploys the MANRS Observatory to actively identify and engage non-compliant networks rather than waiting for self-selection. This shift introduces a tension between broad, low-barrier entry and the rigorous auditing required for enterprise-grade security.
| Feature | Organic Strategy | Planned Strategy |
|---|---|---|
| Recruitment | Voluntary self-enrollment | Targeted outreach via data |
| Validation | Self-reported actions | Automated API verification |
| Growth Driver | Community awareness | Enterprise risk requirements |
| Compliance | Periodic manual review | Continuous monitoring |
Operators contributing to the working group must navigate stricter validation protocols that may slow initial onboarding but improve long-term system durability. The new approach uses the MANRS API to automate compliance checks, reducing the administrative burden on the Worldwide Cyber Alliance secretariat. However, this centralization of verification creates a dependency on the accuracy of external data collectors. The community focuses on deeper participation through the MDP and elections, alongside new audiences via MANRS Enterprise and closer ties to wider Internet Integrity work. This proactive alignment prepares networks for an environment where planned growth initiatives drive broader adoption and precision.
Operational Mechanics of the New Development Process
MANRS Progress Process and Versioned Specification Library
The MANRS Advancement Process restructures every specification into a single, versioned library to eliminate documentation drift. This mechanism replaces scattered web pages with durable references that survive updates. This architectural shift ensures that Network Operators Program requirements remain stable while allowing precise auditing of changes over time.
Operators previously struggled with ambiguous baselines, but the new system mandates transparent evolution tracks for all technical documents. A working group now manages these updates under a tightly scoped charter. Consequently, the IXP Program and other initiatives gain a consistent framework for defining routing security obligations without risking scope creep.
The process establishes a clean baseline from which to review MANRS programs, prioritizing transparency, stability, and consistency. This approach ensures that specifications resemble proper documents rather than a scattered set of web pages. The result is a more resilient global routing system where mechanisms have clear, unchanging definitions. Such alignment prevents configuration errors when upstream definitions shift.
Network Operators Program Priority Versus IXP Program Scope
A high-level survey found that half of the respondents ranked the Network Operators Program as the top priority, followed by the IXP Program. This preference signals a demand for granular precision in existing rules rather than an expansion of scope. The initiative remains a minimum baseline, avoiding the exclusivity of a best-current-practice club for leaders. The strategic implication is clear: operators seek clearer auditing mechanisms to validate compliance without raising the technical barrier to entry.
| Feature | Network Operators Program | IXP Program |
|---|---|---|
| Community Priority | Top ranked by respondents | Secondary focus |
| Primary Goal | Precision and clarity | Interconnection scope |
| Implementation Target | Individual autonomous systems | Exchange points |
| Audit Requirement | Stronger verification needed | Standard validation |
The distinction affects deployment timing for protocols like ASPA validation. The survey indicates that most participants view current actions as fit for purpose, requiring improved enforcement rather than new features. The point is breadth of adoption: if most networks implemented this baseline, routing security incidents would fall significantly.
A critical tension exists between widening adoption and deepening technical rigor. The review is underway with a draft targeted for community review by the end of Q3. The optimal path forward involves strict adherence to the current baseline while enhancing the tools used to verify it. This approach ensures that growth in routing security remains inclusive yet effective.
Discussions on routing security continue to reveal that adoption remains skewed toward large providers. Research on top Fortune 500 companies in finance, health, and automotive sectors showed RPKI ROA coverage is largely lagging. Unlike general IT security frameworks, MANRS specifically targets routing threats such as BGP leaks and hijacks through precise technical actions. Tijay Chung from Virginia Tech shared new techniques for measuring ROV deployment and ASPA validation during the West Session presentations on measurement.
Operators can improve RPKI coverage by following these implementation steps:
- Treat routing security as supply-chain security that must be governed, audited, and enforced.
- Ensure risk assessments, SLAs, and vendor frameworks address routing concerns often overlooked outside telecom.
- Publish accurate ROA records to ensure legitimate traffic is not inadvertently dropped.
- Use updated training curricula focusing on network security competencies.
Regulations such as DORA, NIS2, and the Critical Entities Directive are increasingly pulling suppliers into scope, making accurate configuration necessary. While the full AS path validation introduces complexity, the community emphasizes that MANRS is intentionally a minimum baseline. Smaller operators are encouraged to implement these baseline checks to reduce the overall incidence of routing security failures.
InterLIR emphasizes that optimizing existing IPv4 resources requires complete visibility into routing security posture. Without thorough measurement, networks cannot identify partial deployments that leave infrastructure vulnerable to route leaks. The industry must shift from binary compliance checks to continuous validation monitoring to secure the global routing table effectively.
Using the Rebuilt MANRS Observatory for Validation
Defining the Rebuilt MANRS Observatory Interface and v2 API Capabilities
Alejandro Fernández-Cernuda and the Secretariat detailed upgrades to the MANRS Observatory, infrastructure first launched in 2019 by the Internet Society. This platform visualizes routing security data to enable compliance checking. The new interface delivers crisper global readiness breakdowns and per-ASN drill-downs that replace older, less granular views. Integration of the participant application process directly into the dashboard accelerates ticket resolution from weeks to days. A dual-support model maintains the legacy interface while introducing enhanced documentation. This architectural shift allows operators to embed validation checks directly into their deployment pipelines rather than relying on manual dashboard reviews.
| Capability | Legacy Interface | Rebuilt Platform |
|---|---|---|
| Data Granularity | Regional aggregates | Per-ASN drill-downs |
| Ticket Resolution | Weeks | Days |
| API Support | Basic | Enhanced Documentation |
| Extensibility | Limited | High (Planned SDKs) |
Constraint exists for operators adapting integration scripts to match updated schemas. The community must migrate compliance tooling to use enhanced error reporting. Practical benefit lies in shifting from periodic manual audits to continuous validation of filtering and anti-spoofing posture. This transition transforms the Observatory from a passive reporting tool into an active component of the network operations center workflow.
Executing Routing Security Validation via MANRS Observatory v2 API and SDKs
Automating compliance checks requires integrating the updated API into existing monitoring stacks to access per-ASN drill-downs programmatically. The rebuilt platform exposes routing data that allows engineers to verify Filtering and Anti-spoofing actions without manual dashboard inspection. Operators can now query the MANRS API to retrieve validation states for prefix announcements and AS path granularity directly within their CI/CD pipelines.
| Feature | v1 Interface | Updated API |
|---|---|---|
| Access Method | Manual Browser | Programmatic HTTP |
| Data Granularity | Aggregate Views | Per-ASN Drill-downs |
| Integration | None | Go and Python SDKs (Forthcoming) |
| Documentation | Basic | Expanded FAQ and Guides |
Developers should apply the forthcoming Go and Python SDKs to script continuous auditing of Global Validation status across peer networks. This approach transforms the public platform from a passive display into an active enforcement tool for supply chain security. Limitation lies in the transition period where the legacy interface remains supported but lacks the granular endpoints required for automated ticketing systems. Adoption of new SDKs is encouraged to use the expanded documentation and avoid reliance on legacy scraping methods. Strategic consequence of API-driven validation is the shift from periodic audits to real-time routing security governance. The Observatory provides the data, but the operator must build the logic to act upon it effectively.
Troubleshooting MANRS Observatory Access and Ticketing Workflow Bottlenecks
The rebuilt platform integrates the participant application directly, using automated checks that clear backlog items in days rather than weeks. This structural change removes the manual review bottleneck that previously delayed validation for new entrants.
| Symptom | Probable Cause | Resolution Path |
|---|---|---|
| Access Denied | Credential Scope Issue | Verify permissions via dashboard |
| Missing ASN | Incomplete Application | Submit via integrated ticketing |
| Stale Data | Cache Retention | Force refresh or wait cycle |
Academic research presented at the NDSS Symposium highlights a persistent gap between policy and practice, noting that 'MANRS Action 1' is not universally followed in real-world deployments. Relying solely on the Observatory status without verifying local Filtering rules creates a false sense of security. Treat the ticketing workflow as a trigger for internal audits, not a replacement for them. Failure to investigate the root cause of a flagged item locally will result in recurring compliance failures even after the ticket resolves.
Enterprise Adoption Strategies for Routing Security
MANRS for Enterprises as Supply-Chain Security Governance
Routing security operates as supply-chain security demanding strict governance, auditing, and enforcement. Non-telecom enterprises rarely classify routing as a direct concern, leaving such threats absent from standard risk assessments, SLAs, or vendor frameworks. Organizations now face pressure to evaluate routing security within supplier risk decisions, treating the internet routing supply chain as a critical dependency. This shift moves the model from voluntary operator action to active enterprise governance. The effort extends the earlier MANRS+ control matrix, which defines requirements for connectivity, cloud, and CDN providers.
| Current State | Required Governance |
|---|---|
| Ignored in SLAs | Covered in vendor frameworks |
| Telecom responsibility | Supplier risk decision |
| Voluntary adoption | Audited compliance |
Regulations including DORA, NIS2, and the Critical Entities Directive increasingly bring suppliers into scope, forcing the industry to define standards before external mandates arrive. A clear limitation exists: RPKI ROA coverage in finance, health, and automotive sectors remains largely lagging. Internet routing constitutes a critical dependency rather than a background utility. Neglecting this exposure leaves enterprises vulnerable regardless of internal defensive perimeters. Stakeholders shaping practical, auditable requirements may contact the Secretariat. This method ensures routing security becomes a verifiable component of third-party risk management instead of an assumed capability.
Decision Framework for Enterprise MANRS Adoption Necessity
Sector-specific regulatory mandates dictate the need for routing security evaluation. Data confirms RPKI ROA coverage in finance, health, and automotive sectors remains largely lagging. This gap persists because non-telecom enterprises rarely view routing as their concern, with incidents seldom covered in standard risk assessments or vendor frameworks. Network operators must treat the internet routing supply chain as a critical dependency requiring active governance.
Adoption necessity depends on four operational triggers:
- Regulatory scope expansion under DORA, NIS2, or the Critical Entities Directive pulling suppliers into scope.
- Supplier risk decisions demanding proof of routing hygiene from cloud and CDN providers.
- Absence of routing security coverage in current service level agreements.
- Requirement to validate upstream provider claims regarding path security.
| Trigger Condition | Risk Profile | Action Required |
|---|---|---|
| High Regulatory Scrutiny | Critical | Define good standards |
| Supply Chain Dependency | Elevated | Govern and audit dependencies |
| Lagging RPKI Coverage | Moderate | Internal gap analysis |
| No Upstream Filtering | Severe | Deploy edge validation |
Maintaining minimal baselines often conflicts with rigorous enterprise audits demanding evidence beyond simple participation. Downstream partners increasingly mandate routing security proof, forcing operators to adapt or become the weak link in a validated chain. Broad adoption of this baseline would cause routing security incidents to fall notably.
Validating Vendor Routing Security Against MANRS Baselines
Enterprises must require connectivity, cloud, and CDN providers to adhere to the MANRS+ control matrix to mitigate upstream risks. Regulatory frameworks like DORA and NIS2 increasingly treat routing integrity as a compliance requirement rather than an optional network feature. Operators should audit provider advertisements against the MANRS+ control matrix to verify adherence to minimum security baselines.
| Evaluation Criteria | Non-Compliant Vendor | MANRS Aligned Provider |
|---|---|---|
| Origin Validation | Missing or partial | Fully deployed |
| Leak Protection | Manual intervention | Automated filtering |
| Contractual SLA | Undefined | Explicitly set |
Treating internet connectivity as an unmanaged commodity creates a single point of failure that technical controls alone cannot resolve. Cost optimization often conflicts with security; cheaper transit options may lack the routing threats protection inherent in validated paths. Organizations ignoring this gap risk service unavailability during coordinated BGP incidents. InterLIR recommends embedding specific supply-chain security language in all vendor agreements to enforce accountability. Enterprises can apply available training courses to upskill staff on these verification techniques. Technical recommendations remain voluntary and frequently ignored by cost-focused providers without contractual obligations. Andrei Robachevsky introduced a potential fifth MANRS program focused on enterprises. Implementation targets 2026 for broader industry alignment.
About
Evgeny Sevastyanov, Customer Support Team Leader at InterLIR, brings necessary operational perspective to the MANRS evolution process. Leading support for a global IPv4 marketplace, his daily work involves creating and verifying RIPE database objects, managing BGP configurations, and ensuring IP reputation security. This hands-on experience with routing data integrity directly aligns with MANRS goals of securing the global routing infrastructure. At InterLIR, where maintaining clean route objects and transparent IP transfers is critical for clients in telecommunications and hosting, Sevastyanov sees firsthand how mutual agreements on routing security prevent hijacks and leaks. His background in project management and technical support allows him to bridge the gap between high-level routing policies and practical implementation for network operators. By connecting InterLIR's commitment to secure, automated IP resource distribution with MANRS initiatives, he highlights how collaborative development processes strengthen the entire system against evolving routing threats.
Conclusion
Scaling routing security reveals that voluntary adoption hits a ceiling when cost-driven providers ignore supply-chain security gaps. The operational burden shifts from technical implementation to enforcing contractual accountability across the entire delivery chain. Without mandatory verification, organizations remain exposed to upstream failures that internal filters cannot block. Enterprises must immediately mandate MANRS+ compliance in all vendor agreements before the 2026 implementation window closes. This timeline aligns with emerging regulatory pressures and the proposed fifth program targeting enterprise-specific risks. Waiting for market forces alone will leave critical paths unprotected against coordinated BGP incidents.
Start by auditing your top three connectivity providers against the origin validation and leak protection criteria this week. Demand explicit SLAs that define consequences for non-compliance rather than accepting vague assurances. The global surge in registered Route Origin Authorizations proves that regions prioritizing these controls see fewer incidents, creating a clear benchmark for expected behavior. Operators who fail to validate provider advertisements now will face increasing scrutiny from downstream partners requiring proof of a secure chain. Contact the MANRS Secretariat before May 1, 2026, if you wish to contribute expertise to the ongoing Network Operators Program review. This direct engagement ensures your specific operational challenges shape the next evolution of routing.
Frequently Asked Questions
It replaces scattered pages with a versioned library for durable references. This ensures almost 24% growth since 2024 rests on consistent, auditable standards rather than moving targets that confuse network operators.
Flat monthly participation rates forced a pivot to active governance strategies. Without this shift, the recent 24% expansion since 2024 might stall as passive recruitment no longer sustains momentum for global routing security.
Regulations like DORA pull suppliers into scope, making routing hygiene vital.
Participants demanded stronger auditing instead of a higher bar for actions.
Formal working groups now shape requirements through documented reviews globally.